Bug 1484566
| Summary: | Multiple 'map' denials prevent Cockpit from working | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | dwalsh, kparal, mpitt, robatino, sgallagh, stefw |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | AcceptedBlocker | | |
| Fixed In Version: | selinux-policy-3.13.1-279.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-09-09 04:11:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1396702 | | |

Description
Adam Williamson
2017-08-23 21:08:46 UTC
Note for Cockpit folks: just CCing you on this for information. SELinux has added a new 'map' permission recently, and we're getting tons of denials for it, breaking all kinds of stuff.

Discussed during blocker review [1]: AcceptedBlocker (Beta) - clear violation of Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/

Cockpit still fails to start with selinux-policy-3.13.1-277.fc27, with these denials:

Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=4573538 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=4573529 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=8560638 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=8560636 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

selinux-policy-3.13.1-279.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bf736ee273

selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
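
A triage sketch for the denials quoted in this report, added here as an example and not part of the bug or of any Fedora tooling: it parses AVC lines and groups them by source type, target type, class and permission, so the separate file paths reduce to one missing permission. The function names are hypothetical, and the allow line it produces is what the grouping implies, not the change shipped in the fixed selinux-policy build.

```python
import re
from collections import Counter

# Four of the denials quoted in this report (one path is logged twice).
SAMPLE = [
    'Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=4573538 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=4573529 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    # Constructed non-AVC journal line, to show unrelated entries are skipped.
    'Sep 03 14:36:53 localhost.localdomain systemd[1]: Started Example Service.',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    return fields

def context_type(ctx):
    """user:role:type:level -> type (the level itself may contain colons)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def summarize(lines):
    """Count denials per (source type, target type, class, perm); collect paths."""
    groups, paths = Counter(), {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (context_type(rec['scontext']), context_type(rec['tcontext']),
                   rec['tclass'], perm)
            groups[key] += 1
            paths.setdefault(key, set()).add(rec.get('path', '?'))
    return groups, paths

def as_rules(groups):
    """Render each group as the allow rule that would cover it."""
    return [f"allow {s} {t}:{c} {p};" for (s, t, c, p) in sorted(groups)]

if __name__ == "__main__":
    groups, paths = summarize(SAMPLE)
    for key, count in groups.items():
        print(count, key, sorted(paths[key]))
    print("\n".join(as_rules(groups)))
```

On a live system, `ausearch -m avc` and `audit2allow` perform this grouping against the real audit log.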